2019-01-25 18:05:21 +00:00
|
|
|
// Copyright (C) 2018 Storj Labs, Inc.
|
|
|
|
// See LICENSE for copying information.
|
|
|
|
|
|
|
|
package auth
|
|
|
|
|
|
|
|
import (
|
2019-01-28 19:45:25 +00:00
|
|
|
"github.com/gogo/protobuf/proto"
|
2019-01-25 18:05:21 +00:00
|
|
|
"github.com/zeebo/errs"
|
|
|
|
|
|
|
|
"storj.io/storj/pkg/identity"
|
|
|
|
"storj.io/storj/pkg/peertls"
|
2019-02-07 18:40:28 +00:00
|
|
|
"storj.io/storj/pkg/pkcrypto"
|
2019-01-25 18:05:21 +00:00
|
|
|
"storj.io/storj/pkg/storj"
|
|
|
|
)
|
|
|
|
|
|
|
|
var (
|
2019-01-28 19:45:25 +00:00
|
|
|
//ErrSign indicates a failure during signing
|
|
|
|
ErrSign = errs.Class("Failed to sign message")
|
|
|
|
//ErrVerify indicates a failure during signature validation
|
|
|
|
ErrVerify = errs.Class("Failed to validate message signature")
|
|
|
|
//ErrSigLen indicates an invalid signature length
|
|
|
|
ErrSigLen = errs.Class("Invalid signature length")
|
|
|
|
//ErrSerial indicates an invalid serial number length
|
|
|
|
ErrSerial = errs.Class("Invalid SerialNumber")
|
|
|
|
//ErrExpired indicates the agreement is expired
|
|
|
|
ErrExpired = errs.Class("Agreement is expired")
|
|
|
|
//ErrSigner indicates a public key / node id mismatch
|
|
|
|
ErrSigner = errs.Class("Message public key did not match expected signer")
|
|
|
|
//ErrBadID indicates a public key / node id mismatch
|
|
|
|
ErrBadID = errs.Class("Node ID did not match expected id")
|
|
|
|
|
|
|
|
//ErrMarshal indicates a failure during serialization
|
|
|
|
ErrMarshal = errs.Class("Could not marshal item to bytes")
|
|
|
|
//ErrUnmarshal indicates a failure during deserialization
|
|
|
|
ErrUnmarshal = errs.Class("Could not unmarshal bytes to item")
|
|
|
|
//ErrMissing indicates missing or empty information
|
|
|
|
ErrMissing = errs.Class("Required field is empty")
|
2019-01-25 18:05:21 +00:00
|
|
|
)
|
|
|
|
|
2019-01-28 19:45:25 +00:00
|
|
|
//SignableMessage is a protocol buffer with a certs and a signature
|
|
|
|
//Note that we assume proto.Message is a pointer receiver
|
|
|
|
type SignableMessage interface {
|
|
|
|
proto.Message
|
|
|
|
GetCerts() [][]byte
|
|
|
|
GetSignature() []byte
|
|
|
|
SetCerts([][]byte)
|
|
|
|
SetSignature([]byte)
|
|
|
|
}
|
|
|
|
|
|
|
|
//SignMessage adds the crypto-related aspects of signed message
|
|
|
|
func SignMessage(msg SignableMessage, ID identity.FullIdentity) error {
|
|
|
|
if msg == nil {
|
|
|
|
return ErrMissing.New("message")
|
|
|
|
}
|
|
|
|
msg.SetSignature(nil)
|
|
|
|
msg.SetCerts(nil)
|
|
|
|
msgBytes, err := proto.Marshal(msg)
|
|
|
|
if err != nil {
|
|
|
|
return ErrMarshal.Wrap(err)
|
|
|
|
}
|
2019-02-07 20:39:20 +00:00
|
|
|
signature, err := pkcrypto.HashAndSign(ID.Key, msgBytes)
|
2019-01-28 19:45:25 +00:00
|
|
|
if err != nil {
|
|
|
|
return ErrSign.Wrap(err)
|
|
|
|
}
|
|
|
|
msg.SetSignature(signature)
|
|
|
|
msg.SetCerts(ID.ChainRaw())
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2019-01-25 18:05:21 +00:00
|
|
|
//VerifyMsg checks the crypto-related aspects of signed message
|
2019-01-28 19:45:25 +00:00
|
|
|
func VerifyMsg(msg SignableMessage, signer storj.NodeID) error {
|
|
|
|
//setup
|
|
|
|
if msg == nil {
|
|
|
|
return ErrMissing.New("message")
|
|
|
|
} else if msg.GetSignature() == nil {
|
|
|
|
return ErrMissing.New("message signature")
|
|
|
|
} else if msg.GetCerts() == nil {
|
|
|
|
return ErrMissing.New("message certificates")
|
2019-01-25 18:05:21 +00:00
|
|
|
}
|
2019-01-28 19:45:25 +00:00
|
|
|
signature := msg.GetSignature()
|
|
|
|
certs := msg.GetCerts()
|
|
|
|
msg.SetSignature(nil)
|
|
|
|
msg.SetCerts(nil)
|
|
|
|
msgBytes, err := proto.Marshal(msg)
|
|
|
|
if err != nil {
|
|
|
|
return ErrMarshal.Wrap(err)
|
|
|
|
}
|
|
|
|
//check certs
|
2019-01-25 18:05:21 +00:00
|
|
|
if len(certs) < 2 {
|
2019-01-28 19:45:25 +00:00
|
|
|
return ErrVerify.New("Expected at least leaf and CA public keys")
|
2019-01-25 18:05:21 +00:00
|
|
|
}
|
2019-01-28 19:45:25 +00:00
|
|
|
err = peertls.VerifyPeerFunc(peertls.VerifyPeerCertChains)(certs, nil)
|
2019-01-25 18:05:21 +00:00
|
|
|
if err != nil {
|
2019-01-28 19:45:25 +00:00
|
|
|
return ErrVerify.Wrap(err)
|
2019-01-25 18:05:21 +00:00
|
|
|
}
|
2019-02-07 20:39:20 +00:00
|
|
|
leaf, err := pkcrypto.CertFromDER(certs[0])
|
2019-01-25 18:05:21 +00:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
2019-02-07 20:39:20 +00:00
|
|
|
ca, err := pkcrypto.CertFromDER(certs[1])
|
2019-01-25 18:05:21 +00:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
2019-01-28 19:45:25 +00:00
|
|
|
// verify signature
|
2019-02-07 20:39:20 +00:00
|
|
|
if id, err := identity.NodeIDFromKey(ca.PublicKey); err != nil || id != signer {
|
2019-01-28 19:45:25 +00:00
|
|
|
return ErrSigner.New("%+v vs %+v", id, signer)
|
2019-01-25 18:05:21 +00:00
|
|
|
}
|
2019-02-07 20:39:20 +00:00
|
|
|
if err := pkcrypto.HashAndVerifySignature(leaf.PublicKey, msgBytes, signature); err != nil {
|
|
|
|
return ErrVerify.New("%+v", err)
|
2019-01-25 18:05:21 +00:00
|
|
|
}
|
2019-01-28 19:45:25 +00:00
|
|
|
//cleanup
|
|
|
|
msg.SetSignature(signature)
|
|
|
|
msg.SetCerts(certs)
|
2019-01-25 18:05:21 +00:00
|
|
|
return nil
|
|
|
|
}
|